Google sets untrust schedule for Chrome over Symantec certificates

Google has finalized a schedule that, over the next 12 months, will send companies scrambling to replace the digital certificates that secure their websites or risk being viewed with suspicion by users running Chrome, the world’s most popular browser.

“Companies are staring down the barrel of a boat load of work,” said David Anthony Mahdi, a research director at Gartner, and the industry research firm’s resident expert on digital certificates and the CAs (certificate authorities) that issue them. “This is massive.”

Beginning with Chrome 66, currently set to show up the third week of April next year, Google will “remove trust in Symantec-issued certificates issued prior to June 1, 2016,” wrote three members of the browser’s security team, in a post to a company blog. “If you are a site operator with a certificate issued by a Symantec CA prior to June 1, 2016, then prior to the release of Chrome 66, you will need to replace the existing certificate with a new certificate from any Certificate Authority trusted by Chrome.”

A follow-up version of Chrome, slated for debut a little more than a year from now, will untrust every Symantec certificate, no matter when it was issued. When Google removes trust from the certificates, users will begin seeing messages, some explicit, others subtler, informing them that the connection between them and the website is insecure.

Google Chrome will stop trusting older Symantec certificates

Broken trust

Chrome will stop trusting any security certificates issued by Symantec, Google has confirmed.

In a blog post, Chrome Security’s Devon O’Brien, Ryan Sleevi and Andrew Whalley say that certificates from the security firm will be “distrusted,” starting with Chrome 66. This affects all certificates issued before June 1, 2016.

At the same time, Symantec is working with webmasters to switch to DigiCert certificates, after DigiCert bought Symantec’s failing web security business.

Chrome 66 is expected to arrive in June next year, and the final shutdown should be expected with Chrome 70 next October. This will, as Google puts it, “fully remove trust in Symantec’s old infrastructure and all of the certificates it has issued.”

For the uninitiated, Google decided to remove Symantec certificates after it found, in 2015, a couple of certificates that didn’t adhere to industry standards. An in-depth investigation confirmed that Symantec had outsourced certificate issuance to other companies and failed to oversee them properly.

Webmasters that want to keep old Symantec certificates should be aware that there is a 13-month limit.

According to The Inquirer, Symantec’s CEO Greg Clark said their customers will have a world-class experience moving forward.

“We carefully examined our options to ensure our customers would have a world-class experience with a company that offers a modern website PKI platform and is poised to lead the next generation of website security innovation,” he said.

“I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions.”

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.


Chrome 70 Symantec Certificates Update Leaks

Google plans to stop trusting Symantec certificates in Chrome 66. The decision is based on a long history of problems, for example unreliable certificates for names such as example.com or test.com. Symantec issued certificates to different organizations with little oversight or appropriate investigation.

Site Operators Must Replace their Symantec Certificates

Trust in the certificates will be removed in March 2018, and Google has published its plans for the period between now and that date. Certificates issued prior to June 1, 2016 will no longer be trusted in Chrome 66. Site operators who have Symantec certificates must replace them with certificates from a CA that Chrome trusts.

After March-April 2018, Chrome will start showing warnings to users of sites that don’t have trusted certificates.

Symantec Hands Its Infrastructure to DigiCert

Meanwhile, Symantec is handing its infrastructure over to DigiCert, with the old infrastructure continuing to operate until December 2017. To comply with Google’s ultimatum, DigiCert will have to oversee certificate issuance by running the PKI infrastructure and the Managed Partner Infrastructure.

Google added that, by that deadline, the old Symantec infrastructure will be placed on a list of untrusted certificates shipped in a future Chrome update.

Certificates Obtained from Symantec Before December Will Need Replacing Again for Chrome 70

Site owners will have to take several steps to obtain replacement certificates. In Chrome 70, all certificates that chain to Symantec’s old roots will be distrusted. Site owners who obtain certificates from the old Symantec infrastructure in the meantime will have to replace them a second time because of the Chrome 70 update.

Note that this change will not affect site owners who don’t use certificates from the Symantec portfolio, or everyday users who just browse the internet.

Google: timeline for distrusting all Symantec Certificates in Chrome

Google recently published a timeline on the Google Security blog for dropping support for Symantec-issued certificates in Chrome.

The company plans to drop full support in Chrome 70, but will distrust certificates that were issued before June 1, 2016 as early as March 15, 2018 (Chrome 66).

The core of the issue surrounding Symantec certificates — the business operates under brand names such as VeriSign, Thawte, Equifax, RapidSSL or GeoTrust — is that Symantec “entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight” according to Google.


Symantec was aware of these security deficiencies, and incidents in the past showed just how bad it was. In 2015 for instance, certificates were created covering five organizations including Google and Opera without the knowledge of the organizations involved.

Symantec came to an agreement with DigiCert under which DigiCert will acquire Symantec’s website security and PKI solutions business.

Google plans to remove trust from all Symantec-issued certificates in Chrome in the coming year. The company published a timeline that highlights the most important dates of the process.

  • October 24, 2017 — Chrome 62 Stable — Chrome highlights if a certificate of a site will be distrusted when Chrome 66 gets released.
  • December 1, 2017 — DigiCert’s new infrastructure will be “capable of full issuance”. Certificates issued by Symantec’s old infrastructure from this point forward will cease working in future updates. This won’t affect certificates issued by DigiCert.
  • March 15, 2018 — Chrome 66 Beta — Any Symantec-issued certificate with an issuance date before June 1, 2016 is distrusted. Sites won’t load; Chrome shows a certificate alert instead.
  • September 13, 2018 — Chrome 70 Beta — Trust in Symantec’s old infrastructure is dropped entirely in Google Chrome. This won’t affect DigiCert issued certificates, but will block any site that uses old certificates.

Chrome users cannot really do anything about this, as website operators need to switch to a certificate that is still trusted by Google as early as March 14, 2018. The only option that users of the browser have is to let website operators know about certificate issues should they not be aware of this.

Mozilla will match the dates proposed by Google earlier according to a post by Gervase Markham on the Mozilla Dev Security Policy group.

Webmasters who run sites with Symantec certificates need to add new certificates to their web properties before the deadline to ensure continued access to those properties. One option that webmasters have is to use Let’s Encrypt, which offers free and automated certificates.

Author: Martin Brinkmann, Ghacks Technology News

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook, Twitter or Google+.

Neon Chrome Preview

This roguelike shooter brings on an intense challenge but there’s plenty of twin-stick shooting action to come with it.

Long before it was announced as a Nindie, or even before the Switch was fully revealed, I was a fan of Neon Chrome on PC. It was one of the earliest roguelikes I played and once it got its hooks into me it also became one of my favorites. In this action-heavy twin-stick shooter you’ll get in a chair and inhabit the body of an avatar of sorts, always getting to choose between 3 distinct classes (each with its own enhancements and perks/deficiencies), that you’ll use to try to get further into the 30 levels of an office building, eventually facing off against the Overseer for control of Neon Chrome.

While it gets off to a very challenging start, as you progress, collect money, unlock new weapons, and upgrade your abilities you’ll slowly become more powerful and able to get further into the game. About every 5 levels you’ll additionally be challenged to defeat a boss, which typically leads to a hectic and difficult fight.

The beauty in the game is that once you get rolling and have unlocked many of the game’s perks you will end up with a substantial number of options to control the flow of the game to suit your style of play. You’ll be able to play in a more stealthy way, hiding in shadows and setting up lethal ambushes, or barrel into situations with your guns blazing and shooting through walls to surprise your enemies, or any number of variations in between. Since you have limited control over which power-ups will be available to you, or when, in a given run you’ll need to learn to be versatile. Regardless of your loadout you’ll be able to wreak havoc and have some fun.

What I enjoy most about the game is the tendency for well-laid plans to go to hell in a hurry, leaving you to improvise quickly to get yourself out of trouble. Floor layouts and the placement of enemies can vary substantially from run to run but one constant is the tendency for there to be periodic well-placed tanks that will explode when you shoot them to help you shake things up nicely. If you’re up for a challenge to your brain, your shooting skills, and inevitably your patience at times, look for Neon Chrome to deliver them later this year on the Nintendo Switch.

This preview is based on the current PC version of the game which should be representative of the gameplay and general functionality of the version that will be ported to the Nintendo Switch.

Sling TV now available in Google Chrome on Windows and macOS


Making a streaming service available on as many platforms as possible is key to attracting more and more customers in the cord-cutting era, and, to that end, Sling TV is now opening its doors to Google Chrome users.

Sling TV says that its new player, which is available in beta at this stage, can be used by Chrome users on Windows devices and Macs and comes with support for both live and on-demand content.

“The Sling TV experience on Google Chrome is not only fast, intuitive and incredibly simple to use, it also gives customers the added benefit of seamlessly starting live and on-demand television with a click of their mouse,” says Sling TV vice president of product management Jimshade Chaudhari. “Sling customers can stream their favorite can’t-miss content, like live NFL games or the next episode of ‘Game of Thrones’ on Sling.com without the hassles of downloading plug-ins or logging in to another device.”

In case you are not familiar with Sling TV or its device support, the streaming service was already available to users of PCs and Macs before support for Chrome arrived, but only through a dedicated app. By dropping this requirement, it can better compete in the cord-cutting space against players like Netflix, which have long offered browser support.

Sling TV adds that its browser player is available for the latest version of Chrome, and comes with features like My TV and Continue Watching. Users also have access to their settings and parental controls through the player. The streaming service says that additional features are coming, including DVR and grid guide.

Chrome, according to the latest data from NetMarketShare, has a usage share of 59.57 percent on desktop devices, making it the most-popular browser by far in this market. Microsoft’s aging Internet Explorer comes second with 16.5 percent usage share, followed by Mozilla Firefox with 12.32 percent usage share.

Samsung takes on Google Chrome, expands browser reach



An update to Samsung’s mobile browser, Samsung Internet, could threaten Google’s mobile browser dominance. Last Thursday, Samsung opened up access to its mobile internet browser to all users on Lollipop (Android 5.1) and later, according to ZDNet, meaning the browser is now available to nearly 75% of Android devices globally. Initially, Samsung’s web browser was accessible only on Samsung devices.

The move to open Samsung’s proprietary web browser to all compatible Android devices makes sense for three key reasons, according to Samsung internet software engineer Jungkee Song. 

  • It expands the reach of Samsung’s experiences. Samsung offers a wide array of devices, including smartphones, tablets, a VR headset, a smartwatch, smart TVs, and home appliances that have mobile web experiences. An open web browser embedded on all devices will offer a variety of different avenues to reach consumers. 
  • It allows Samsung to be at the forefront of delivering new device technologies. The tech firm is constantly developing new technologies — like biosensors, payments, and VR — that run mobile web experiences.
  • It diversifies the mobile web, encouraging innovation. The addition of another mobile browser could foster competition between platforms, presenting opportunities to potentially innovate the mobile web experience that might not be available on bigger browsers like Chrome and Safari.

Samsung is perhaps best suited to provide a successful alternative to Google’s browser within the Android ecosystem. The phone maker’s browser has roughly 400 million monthly active users (MAU) globally, giving the company a solid foundation to launch across platforms.

Of course, Samsung has a long way to go to make a dent in Google Chrome’s global market share. As of July 2017, Samsung Internet accounts for just under 7% of the global mobile browser market, compared with Chrome’s 50%, according to StatCounter. 


After phishing attacks, Chrome extensions push adware to millions

Image caption: One of the ads displayed by a fraudulently updated version of the Web Developer extension for Chrome.

Twice in five days, developers of Chrome browser extensions have lost control of their code after unidentified attackers compromised the Google Chrome Web Store accounts used to issue updates.

The most recent case happened Wednesday to Chris Pederick, creator of the Web Developer extension. Last Friday, developers of Copyfish, a browser extension that performs optical character recognition, also had their account hijacked.

In both cases, the attackers used the unauthorized access to publish fraudulent updates that by default are automatically pushed to all Chrome users who have the extensions installed. The tainted extensions were also available for download in Google’s official Chrome Web Store. Both Pederick and the Copyfish developers said the fraudulent updates did nothing more than inject ads into the sites users visited. The Copyfish developers published an account that includes a side-by-side comparison of the legitimate and altered code. Pederick has so far not provided documentation of the changes that were pushed out to the more than one million browsers that have downloaded the Web Developer extension.

Converting a useful browser extension into adware is generally little more than an annoyance. Still, the incidents underscore a serious weakness in Chrome, which is widely regarded among security professionals as the safest browser to use. Previous abuse of the Google Chrome Web Store shows that criminals who can modify legitimate extension code can use that capability to take control of social media accounts, execute malicious code, and collect browsing histories and user data.

Low-hanging fruit

Google has poured hundreds of millions of dollars into fortifying the security of Chrome, making it resistant to the kinds of drive-by attacks that used to be common and still happen on occasion to competing browsers. But two Chrome extension account hijackings in five days suggest that extensions are one of the more effective ways attackers can target Chrome users.

In blog-post comments and in an e-mail to Ars, officials with Copyfish developer A9t9 Software said the account used to distribute the Chrome extension wasn’t protected by two-factor authentication, which Google provides for free. (The A9t9 Software account now uses the added protection of two-factor authentication.) The account was compromised after a company employee clicked on a link in a phishing e-mail that purported to be from Google. Shortly after the employee entered the account password into the fraudulent Web page that appeared, the Copyfish account was taken over. A day later, the Copyfish extension was updated with the adware.

Chris Pederick, the developer of the Web Developer extension, said on Twitter that his account was also hijacked through phishing. He didn’t respond to an e-mail seeking comment for this post.

A Google spokeswoman told Ars that two-factor authentication isn’t mandatory for extension developers; she didn’t respond to a follow-up question asking why the additional security is optional.

It’s understandable that Google doesn’t make two-factor authentication mandatory for all account holders. But given Chrome’s track record with security, it’s surprising that the company doesn’t require the added protection for extension developers, who—because of their ability to push code onto millions of users’ computers—represent high-value targets to criminals.

Truly security-conscious users should remember this limitation when deciding whether to install Chrome extensions.

Symantec distrust to begin in Chrome from April 2018

Google has put forward its final proposal to begin distrusting Symantec-issued TLS certificates, with the work to begin when Chrome 66 removes trust from certificates issued prior to June 1, 2016.

The release date for Chrome 66 is slated to be April 17, 2018, with Symantec certificate owners encouraged by Google to replace those certificates, whether through Symantec or another certificate provider.

In mid-October when Chrome 62 is released, the browser’s developer tools will begin warning of certificates encountered that will be impacted by the distrust.

A year later when Chrome 70 is released, it is proposed the browser will distrust any certificate issued by Symantec’s old infrastructure, including those sold after June 1, 2016.

“This includes any replacement certificates issued by Symantec prior to the transition to the non-Symantec-operated ‘Managed Partner Infrastructure’,” Chrome engineering vice president Darin Fisher wrote.

“By these dates, affected site operators will need to have fully replaced any TLS server certificates issued from Symantec’s old infrastructure, using any trusted CA including the new Managed Partner Infrastructure. Failure to migrate a site to one of these two options will result in breakage when Chrome 70 is released.”

According to Fisher, Symantec has said its new Managed Partner Infrastructure will be ready by December 1.

Google first announced its intention to begin distrusting Symantec in March, with the original plan to reduce the validity period of Symantec certificates to nine months over a series of releases.

Fisher said although the timeline has slipped, it is an appropriate balance between the risk to users, and minimising disruption.

“This time will allow clear messaging and scheduling for site operators to update certificates,” he said.

“While we intend to stick with this schedule, if there is new information highlighting additional security risks with this set of certificates, the dates could change to more rapidly distrust the existing certificates.”

For its part, Symantec previously called for the date of distrust in its certificates issued before June 2016 to be moved to May 1, 2018.

Last week, security researcher Hanno Böck tricked Symantec into incorrectly revoking certificates based on forged private keys.

According to a blog post written by Böck, he registered a pair of domains, received free TLS certificates from Symantec and Comodo, created a set of fake private keys for each domain and uploaded them to Pastebin, then sent each certificate provider a request to revoke its certificate because the private key was publicly viewable.

Böck buried his fake keys among a list of genuine publicly viewable private keys, and found that while Comodo did not revoke its certificate, Symantec informed him that they had revoked the entire list.

“Symantec did a major blunder by revoking a certificate based on completely forged evidence,” he said. “There’s hardly any excuse for this and it indicates that they operate a certificate authority without a proper understanding of the cryptographic background.”
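The two checks these articles turn on, written here in Go as an added example that is not code from any of the articles, from Google, Symantec or Böck: the first flags a certificate whose issuance date (NotBefore) falls before the June 1, 2016 cutoff quoted throughout the Symantec coverage above, and assumes the caller has already established that the chain ends in a Symantec root (the articles name brands, not root identifiers); the second is the proof of possession a CA should demand before honouring a key-compromise revocation request, which is exactly what Böck’s forged Pastebin keys would have failed. The self-signed certificate, the `example.test` name and the function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// chromeCutoff is the date quoted in the articles: Symantec certificates issued before it
// are distrusted from Chrome 66 onwards.
var chromeCutoff = time.Date(2016, time.June, 1, 0, 0, 0, 0, time.UTC)

// makeTestCert builds a self-signed RSA certificate with the requested NotBefore so the
// checks below have input to run against. Constructed sample data for this example; it is
// not a real Symantec certificate and "example.test" is a placeholder name.
func makeTestCert(notBefore time.Time) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(3, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DistrustedInChrome66 reports whether a certificate's issuance date (NotBefore) falls
// before the June 1, 2016 cutoff. It assumes the caller has already established that the
// chain terminates in a Symantec root; the articles name brands, not root identifiers.
func DistrustedInChrome66(cert *x509.Certificate) bool {
	return cert.NotBefore.Before(chromeCutoff)
}

// ProvesPossession is the check a CA should run before honouring a "key compromise"
// revocation request: the submitted private key must sign a fresh random challenge that
// verifies under the certificate's own public key. An unrelated key, or a key whose
// components are internally inconsistent, fails and the request should be rejected.
func ProvesPossession(cert *x509.Certificate, claimed *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || claimed == nil {
		return false
	}
	// Reject malformed keys (e.g. a copied modulus with invented primes) before signing.
	if err := claimed.Validate(); err != nil {
		return false
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	digest := sha256.Sum256(challenge)
	sig, err := rsa.SignPKCS1v15(rand.Reader, claimed, crypto.SHA256, digest[:])
	if err != nil {
		return false
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	cert, realKey, err := makeTestCert(time.Date(2015, time.March, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	fmt.Printf("issued %s, distrusted in Chrome 66: %v\n",
		cert.NotBefore.Format("2006-01-02"), DistrustedInChrome66(cert))

	// A "leaked" key that never belonged to the certificate, standing in for the forged
	// keys Böck pasted alongside genuine ones.
	forged, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine key proves possession:", ProvesPossession(cert, realKey))
	fmt.Println("forged key proves possession: ", ProvesPossession(cert, forged))
}
```

The possession check deliberately signs a challenge the CA generates itself rather than comparing key material the requester supplies: a requester who controls both the certificate and the "leaked" key text can make them look alike, but cannot produce a valid signature under the certificate's public key without the real private key.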